FTC’s Action Against LabMD Dismissed Due to Inadequate Evidence of Harm; FTC Appeals | Jeremy Peterson | 2015-12-01 11:38:14
Employee of Pharmaceutical Manufacturer Criminally Charged with Wrongful Disclosure of Patient Information for Marketing Purpose | Meenakshi Datta | 2015-11-25 15:23:29, 2022-10-19 13:17:57
The Opportunities and the Challenges of Big Data for Business and Public Policy* | Ryan Unsworth | 2015-11-19 16:35:29
New York Department of Financial Services Considers New Cybersecurity Regulations and Seeks to Promote Federal-State Regulatory Convergence – Would Go Well Beyond Protecting Customer Information | Ryan Unsworth | 2015-11-17 21:00:56
FCC Enforcement Bureau Issues First Privacy Enforcement Order Against a Cable Operator | Ryan Unsworth | 2015-11-17 10:17:37
Senate Passes Cybersecurity Legislation, Differences to be Worked Out with House Bills | Jeremy Peterson | 2015-11-09 11:18:50
FTC’s Action Against LabMD Dismissed Due to Inadequate Evidence of Harm; FTC Appeals
A recent ALJ Initial Decision may prove significant in data breach litigation and provide further aid to companies battling class actions with claims of future injury through identity theft. On November 13, 2015, the administrative law judge hearing the FTC’s action against medical testing laboratory LabMD dismissed the FTC’s case in its entirety. See In re LabMD, Inc., F.T.C. ALJ, No. 9357 (Nov. 13, 2015). The action had its genesis in an investigation of LabMD’s security practices. The investigation began after a report that information from LabMD may have been disclosed on a file-sharing website. The FTC asserted that LabMD had failed to properly protect sensitive data and that information gleaned from its records was being used for identity theft purposes.
Elise Young
eyoung@sidley.com
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Employee of Pharmaceutical Manufacturer Criminally Charged with Wrongful Disclosure of Patient Information for Marketing Purpose
On October 16, the United States Attorney’s Office for the District of Massachusetts filed a criminal information against a former Warner Chilcott district manager alleging that he had obtained and used patient protected health information (PHI) in violation of the criminal provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The information alleges that this criminal violation occurred in connection with a scheme to promote Warner Chilcott’s osteoporosis drug Atelvia. The charge against former employee Landon Eckles is significant because it appears to be the first time a criminal prosecution under HIPAA has been brought against an employee of a pharmaceutical manufacturer for an alleged HIPAA privacy violation. Eckles pleaded guilty to the charges on November 12.
Meenakshi Datta
Chicago
mdatta@sidley.com
Anna Spencer
aspencer@sidley.com
William Sarraille
Washington, D.C.
wsarraille@sidley.com
Claudia Kraft
ckraft@sidley.com
The Opportunities and the Challenges of Big Data for Business and Public Policy*
*Based on Remarks at the Big Data East Big Data Innovation Conference, September 9, 2015
I believe in the enormous potential of big data. Erik Brynjolfsson and Andrew McAfee, authors of The New Machine Age and leading scholars of the digital economy, have compared the power and granularity of computational science to the transformation in understanding of nature that occurred when Anton van Leeuwenhoek first peered at samples through his newly invented microscope. We are seeing new advances in medicine, in social science, new ways of teasing out causation from correlation.
Cameron F. Kerry
ckerry@sidley.com
Trans-Pacific Partnership Agreement Touches Global Electronic Commerce
Last week, the New Zealand Ministry of Foreign Affairs & Trade made public the text of the Trans-Pacific Partnership (TPP) Agreement. While the text of the TPP has been negotiated over the past seven years, several provisions relating to electronic commerce are remarkably timely and address key considerations for companies doing business abroad. Highlighted below are key initial takeaways from Article 14 of the TPP, on “Electronic Commerce”:
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Vivek K. Mohan
vmohan@sidley.com
New York Department of Financial Services Considers New Cybersecurity Regulations and Seeks to Promote Federal-State Regulatory Convergence – Would Go Well Beyond Protecting Customer Information
In a November 9, 2015 letter to members of the Financial and Banking Information Infrastructure Committee (“FBIIC”), the Acting Superintendent of the New York Department of Financial Services (“NY DFS”) outlined key elements of potential new regulations by the NY DFS addressing cybersecurity risk (“Cybersecurity Proposal”) and encouraged FBIIC members to work with the NY DFS in developing a comprehensive cybersecurity framework for all regulated financial institutions. The NY DFS regulates entities and products that are subject to New York insurance, banking and financial services laws. The FBIIC is composed of state and federal agencies that regulate companies and products in the financial services sector, including the U.S. Securities and Exchange Commission (“SEC”), the Office of the Comptroller of the Currency (“OCC”) and the National Association of Insurance Commissioners (“NAIC”). The stated goal of the NY DFS is to stimulate dialogue among federal and state financial regulators to promote collaboration and, ultimately, regulatory convergence.
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Edward R. McNicholas
emcnicholas@sidley.com
Andrew R. Holland
New York
aholland@sidley.com
Charlene McHugh
cmchugh@sidley.com
FCC Enforcement Bureau Issues First Privacy Enforcement Order Against a Cable Operator
On November 5, 2015, the Federal Communications Commission (“FCC” or “Commission”) issued its first ever privacy or data security enforcement order against a cable provider, Cox Communications, Inc. (“Cox”). The order adopted a consent decree entered into with the company, fining the company $595,000 for the breach. The order sets out that in August 2014, a hacker used social engineering tactics, or “pretexting,” to impersonate someone from Cox’s information technology department in a phishing scheme and convinced a Cox contractor to enter an account ID and password into a fake website which the hackers controlled. Without multi-factor authentication in place for the targeted systems, the hacker and an accomplice were able to use those captured credentials to obtain the personal information and/or Customer Proprietary Network Information (“CPNI”) of 54 current and seven former customers. Cox notified the FBI of the breach, but did not notify the FCC through the Commission’s breach-reporting portal.
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Edward R. McNicholas
emcnicholas@sidley.com
Marc A. Korman
Washington, D.C.
mkorman@sidley.com
Senate Passes Cybersecurity Legislation, Differences to be Worked Out with House Bills
On October 27, 2015, the Senate passed S. 754, the Cybersecurity Information Sharing Act (“CISA”), with bi-partisan support. Although some raised privacy concerns, CISA received backing from the Administration and support from many industry participants. The Senate bill must be reconciled with similar bills in the House (H.R. 1560 and H.R. 1731) before a conference version is produced. This process may be contentious as privacy advocates seek to strengthen protections for personal information, and Senator Richard Burr, Chairman of the Senate Intelligence Committee and co-sponsor of CISA, indicated that the conferencing process is unlikely to produce a resolution before January 2016.
Clayton G. Northouse
cnorthouse@sidley.com
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Grady Nye
gnye@sidley.com
European Parliament Adopts Surveillance Resolution Aimed at Mass Surveillance and Prompting Progress on Safe Harbor 2.0
On October 29, 2015, the European Parliament adopted a resolution on the electronic mass surveillance of EU citizens (the “Resolution”). Positioned as a follow-up to its resolution of 12 March 2014 in which the Parliament called for the immediate suspension of Safe Harbor and put forward a number of recommendations to limit access to personal data of European citizens as part of mass surveillance, the Resolution calls on the European Commission to “reflect immediately on alternatives to Safe Harbor and on the impact of the judgment [from the Court of Justice of the European Union in the Schrems case] on any other instruments for the transfer of personal data to the U.S.” It also calls for the European Commission to “report on the matter by the end of 2015.” In addition, the European Parliament demanded that the Commission urgently provide an update on the ongoing negotiations between US authorities and the Commission.
William RM Long
London
wlong@sidley.com
Francesca Blythe
London
fblythe@sidley.com
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com